Server Fault Asked by allo on December 26, 2020
As far as I understood, it should be sufficient to upgrade openssl (done a long time ago; now I installed all available updates again (no openssl among them)) and restart nginx.
I even tried to stop nginx fully (verified it with ps) and start it again.
But ssllabs still tells me that I am vulnerable. What else do I need to do, or what can be causing it to still be vulnerable?
versions:
ii nginx 1.9.10-1 all small, powerful, scalable web/proxy server
ii nginx-common 1.9.10-1 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.9.10-1 amd64 nginx web/proxy server (standard version)
ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii libssl-dev:amd64 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.0.1t-1+deb8u2 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.0:amd64 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.0.2:amd64 1.0.2f-2 amd64 Secure Sockets Layer toolkit - shared libraries
lsof output related to nginx:
lsof 2>/dev/null |grep -i libssl|grep nginx
nginx 17928 root mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17929 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17930 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17932 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
nginx 17933 www-data mem REG 251,0 430560 2884885 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
I got it.
I installed certbot from Debian unstable, which installed 1.0.2f-2. unstable is pinned to priority "-100" (do not install from unstable unless requested with -t unstable). This means the version is between the jessie version 1.0.0X-Y and the current unstable version 1.0.2.h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.
Correct answer by allo on December 26, 2020
Installing the necessary updates (as suggested by https://serverfault.com/users/126632/michael-hampton in the comments) seems to fix the issue for me.
apt-get update && apt-get upgrade
Answered by drinchev on December 26, 2020
I had a similar issue on a Debian Wheezy server. https://www.ssllabs.com/ssltest/ always showed that my server was vulnerable to CVE-2016-2107. Other servers, with (in my opinion) the same config, did not have this security issue.
openssl, apache, php: all the same versions and the same config.
After some investigation I found out that mod_spdy was installed and activated on this particular server.
After uninstalling mod_spdy the issue was solved.
dpkg -r mod-spdy-beta
dpkg -P mod-spdy-beta
from https://stackoverflow.com/questions/25593257/how-do-i-remove-spdy-mod-spdy
Answered by Martin Seitl on December 26, 2020
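The check the question does by hand with lsof, and the cause in the mod_spdy answer above (an extra module bringing its own TLS code into the daemon), are the same question from two sides: which TLS library is each process of the daemon actually executing, and which package owns it? The script below is added here as an example; it is not code from the question or from any answer on this page. It assumes a Debian-family host with /proc, pgrep, dpkg and apt-cache, and the sample map lines it is tested against are constructed. For every process with the given command name it lists the mapped shared objects, reports the owning package and installed version, and for libssl/libcrypto also prints apt's Installed versus Candidate line, which is where a version pulled from a pinned suite (as in the accepted answer) shows up as one apt-get upgrade will never replace. A module that statically links its own TLS code leaves no separate libssl mapping, so the TLS lines alone cannot reveal it; that is why every mapped object is listed with its owner, and anything dpkg does not own is flagged.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# For a daemon name (nginx, apache2, ...), list every shared object its
# processes have mapped, mark the TLS libraries, and ask dpkg which package
# and version owns each file. A file dpkg does not own, or a TLS package
# whose installed version differs from apt's candidate, is the kind of
# surprise this page is about.

# File-backed shared objects from /proc/<pid>/maps-style text on stdin.
mapped_objects_from_maps() {
    awk 'NF >= 6 && $6 ~ "[.]so([.]|$)" { print $6 }' | sort -u
}

# Only libssl / libcrypto out of the same input.
tls_libs_from_maps() {
    awk 'NF >= 6 && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' | sort -u
}

# "pid path" for every object mapped by processes whose command name is $1.
# Reading another user's maps needs root; unreadable pids are skipped.
mapped_objects_for_daemon() {
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        mapped_objects_from_maps < "/proc/$pid/maps" |
            while read -r obj; do printf '%s %s\n' "$pid" "$obj"; done
    done
}

# Package (with arch qualifier) owning a file; empty if dpkg knows nothing.
dpkg_owner() {
    dpkg -S "$1" 2>/dev/null | sed -n '1s/: .*//p'
}

# One line per distinct object the daemon has mapped, plus apt policy for TLS libs.
report_daemon() {
    mapped_objects_for_daemon "$1" | awk '{ print $2 }' | sort -u |
    while read -r obj; do
        pkg=$(dpkg_owner "$obj")
        if [ -z "$pkg" ]; then
            printf 'UNOWNED %s\n' "$obj"
            continue
        fi
        ver=$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null | head -n 1)
        case "$obj" in
        */libssl*.so*|*/libcrypto*.so*)
            printf 'TLS     %s  <- %s %s\n' "$obj" "$pkg" "$ver"
            # Installed vs Candidate: a version pulled from a pinned suite is
            # one apt-get upgrade will not replace.
            apt-cache policy "$pkg" 2>/dev/null | sed -n '2,3p'
            ;;
        *)
            printf 'lib     %s  <- %s %s\n' "$obj" "$pkg" "$ver"
            ;;
        esac
    done
}

case "${1:-}" in
    "") echo "usage: $0 <daemon-name>    e.g. $0 nginx" >&2 ;;
    *)  report_daemon "$1" ;;
esac
```

Run it as root (sh tlslibs.sh nginx, or apache2) after every restart of the daemon: the lsof line in the question already shows libssl.so.1.0.2 being mapped by nginx, and the report turns that path into a package name and an Installed/Candidate pair you can compare against the suite you expect the fix to come from.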